Cisco Support Community

New Member

Site-to-Site tunnel with external IPs

I am trying to establish a site-to-site VPN tunnel with a customer that is using a 3000 series concentrator. The problem is that our internal LAN IP subnets overlap so they want me to use our public IPs to establish the tunnel.

I have three internal servers that need to use this tunnel and they are in the subnet. I have the server IPs mapping to external IPs with a NAT list on the ASA so each server has a unique IP in the world. The customer has configured their security to only allow traffic from these external IPs.

On the ASA I used the site-to-site VPN wizard to configure the tunnel and triple-checked all of the configuration information to make sure it was the same on both ends. When we try to connect, nothing happens.

If I change the protected local network to my internal IP of 192.168.16.x and try to connect the customer gets an error on their end stating that there was a network mismatch and the connection was terminated. When I change the protected network back to the static external IP and try to connect nothing happens.

I am lost on this and would appreciate any help.

Hall of Fame Super Blue

Re: Site-to-Site tunnel with external IPs

If you are NATting the server IP addresses then your crypto map access-list must use the NATted public addresses and not the original 192.168.16.x addresses.

The fact that nothing is happening suggests that the ASA does recognise the traffic needs encrypting.
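The rule in the reply above (the crypto map access-list must reference the NATted addresses) can be checked mechanically against a saved configuration. The following is an added example, not code from the thread or from Cisco: it assumes pre-8.3 ASA `static` syntax, and the ACL names, the 10.99.0.0/24 peer network and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config (pre-8.3 ASA syntax assumed). 1.1.1.x is the thread's
# stand-in for the public range; 10.99.0.0/24 is a placeholder for the peer network.
SAMPLE_CONFIG = """\
static (inside,outside) 1.1.1.10 192.168.16.10 netmask 255.255.255.255
static (inside,outside) 1.1.1.11 192.168.16.11 netmask 255.255.255.255
static (inside,outside) 1.1.1.12 192.168.16.12 netmask 255.255.255.255
access-list VPN_CRYPTO extended permit ip host 1.1.1.10 10.99.0.0 255.255.255.0
access-list VPN_CRYPTO extended permit ip host 192.168.16.11 10.99.0.0 255.255.255.0
access-list VPN_CRYPTO extended permit ip 192.168.16.0 255.255.255.0 10.99.0.0 255.255.255.0
access-list OTHER extended permit ip host 192.168.16.12 any
crypto map outside_map 10 match address VPN_CRYPTO
"""

STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\S+) (\S+) netmask 255\.255\.255\.255")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (?:host (\S+)|(\S+) (\S+)) ")

def audit_crypto_acl(config):
    """Return (acl, source, real_ip, mapped_ip) for every crypto ACL entry whose
    source still covers a pre-NAT address instead of its translated address."""
    lines = config.splitlines()
    nat, crypto_acls = {}, set()      # real address -> mapped address; ACLs bound to crypto maps
    for line in lines:
        if m := STATIC_RE.match(line):
            nat[ipaddress.ip_address(m.group(2))] = m.group(1)
        elif m := CRYPTO_RE.match(line):
            crypto_acls.add(m.group(1))
    findings = []
    for line in lines:
        m = ACE_RE.match(line)
        if not m or m.group(1) not in crypto_acls:
            continue                  # only ACLs referenced by a crypto map matter here
        spec = m.group(2) + "/32" if m.group(2) else f"{m.group(3)}/{m.group(4)}"
        try:
            src = ipaddress.ip_network(spec)
        except ValueError:
            continue                  # e.g. "any" or object-group sources: not handled
        for real, mapped in nat.items():
            if real in src:
                findings.append((m.group(1), str(src), str(real), mapped))
    return findings
```
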



Re: Site-to-Site tunnel with external IPs

It is very important to note that since both sides have an OVERLAPPING IP address scheme, for this to work, BOTH SIDES have to NAT. In other words, double-NAT is needed.

You NATted on your side, that is step one.

192.168.16.x = 1.1.1.x

The other side also needs to NAT as well. Otherwise, how do you expect the thing to

This question has been asked many times. Check some of my previous posts and you will find the solution.
